Diffstat (limited to 'source4/setup')
-rw-r--r-- | source4/setup/cn=samba-admin.ldif | 12 | ||||
-rw-r--r-- | source4/setup/cn=samba.ldif | 11 | ||||
-rwxr-xr-x | source4/setup/provision | 4 | ||||
-rwxr-xr-x | source4/setup/provision-backend | 6 | ||||
-rw-r--r-- | source4/setup/secrets_init.ldif | 2 | ||||
-rw-r--r-- | source4/setup/secrets_sasl_ldap.ldif | 9 | ||||
-rw-r--r-- | source4/setup/secrets_simple_ldap.ldif | 6 | ||||
-rw-r--r-- | source4/setup/slapd.conf | 39 |
8 files changed, 75 insertions, 14 deletions
diff --git a/source4/setup/cn=samba-admin.ldif b/source4/setup/cn=samba-admin.ldif
new file mode 100644
index 0000000000..c59ffd9ab6
--- /dev/null
+++ b/source4/setup/cn=samba-admin.ldif
@@ -0,0 +1,12 @@
+dn: cn=samba-admin
+objectClass: top
+objectClass: person
+cn: samba-admin
+userPassword:: ${LDAPADMINPASS_B64}
+structuralObjectClass: person
+entryUUID: ${UUID}
+creatorsName:
+createTimestamp: ${LDAPTIME}
+entryCSN: 20080714010529.241038Z#000000#000#000000
+modifiersName:
+modifyTimestamp: ${LDAPTIME}
diff --git a/source4/setup/cn=samba.ldif b/source4/setup/cn=samba.ldif
new file mode 100644
index 0000000000..3be6242fe3
--- /dev/null
+++ b/source4/setup/cn=samba.ldif
@@ -0,0 +1,11 @@
+dn: cn=Samba
+objectClass: top
+objectClass: container
+cn: Samba
+structuralObjectClass: container
+entryUUID: b1d4823a-e58c-102c-9f74-51b6d59a1b68
+creatorsName:
+createTimestamp: 20080714010529Z
+entryCSN: 20080714010529.194412Z#000000#000#000000
+modifiersName:
+modifyTimestamp: 20080714010529Z
diff --git a/source4/setup/provision b/source4/setup/provision
index c1d6cd157a..7bd61fc1d8 100755
--- a/source4/setup/provision
+++ b/source4/setup/provision
@@ -30,7 +30,7 @@ import os, sys
 sys.path.insert(0, "bin/python")
 import samba
-
+from samba.credentials import DONT_USE_KERBEROS
 from samba.auth import system_session
 import samba.getopt as options
 from samba import param
@@ -131,6 +131,8 @@ else:
 creds = credopts.get_credentials(lp)
+creds.set_kerberos_state(DONT_USE_KERBEROS)
+
 setup_dir = opts.setupdir
 if setup_dir is None:
 setup_dir = "setup"
diff --git a/source4/setup/provision-backend b/source4/setup/provision-backend
index 54dc5839bf..845dc8679a 100755
--- a/source4/setup/provision-backend
+++ b/source4/setup/provision-backend
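Review bot: `userPassword:: ${LDAPADMINPASS_B64}` stores the admin password in the entry as the base64 form of the plain value, so the rendered template and whatever database backs `cn=samba` both end up holding the credential unhashed, and nothing in the file says this is intentional. A `#` comment at the top of the file stating that the value is deliberately left unhashed (presumably because the digest-md5/ntlm authz-regexp mappings in slapd.conf need it — confirm) and that the generated file must be written with owner-only permissions would record that for the next maintainer. Separately, `entryUUID`, `createTimestamp` and `modifyTimestamp` are templated here (`${UUID}`, `${LDAPTIME}`) but `entryCSN` is a fixed literal, and the sibling cn=samba.ldif hunk hard-codes all of them including `entryUUID: b1d4823a-e58c-102c-9f74-51b6d59a1b68`, so every provisioned directory shares identical operational values; either template them consistently in both files or omit them and let the loader generate them. `creatorsName:` and `modifiersName:` are empty in both files, which looks like leftover from an export rather than an intended value.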
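Review bot: `creds.set_kerberos_state(DONT_USE_KERBEROS)` in the second provision hunk is applied unconditionally right after `creds = credopts.get_credentials(lp)`, so any Kerberos preference the user supplied through the credential options is silently overridden and the hunk gives no reason. Add a one-line rationale above it, e.g. `# Kerberos is forced off during provisioning: <reason>` with the actual reason filled in, so the override is not mistaken for an oversight and removed later. The surrounding code continues outside the hunk.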
@@ -49,8 +49,8 @@ parser.add_option("--domain", type="string", metavar="DOMAIN", help="set domain")
 parser.add_option("--host-name", type="string", metavar="HOSTNAME", help="set hostname")
-parser.add_option("--ldap-manager-pass", type="string", metavar="PASSWORD",
- help="choose LDAP manager password (otherwise random)")
+parser.add_option("--ldap-admin-pass", type="string", metavar="PASSWORD",
+ help="choose LDAP admin password (otherwise random)")
 parser.add_option("--root", type="string", metavar="USERNAME", help="choose 'root' unix username")
 parser.add_option("--quiet", help="Be quiet", action="store_true")
@@ -96,7 +96,7 @@ if setup_dir is None:
 provision_backend(setup_dir=setup_dir, message=message, smbconf=smbconf, targetdir=opts.targetdir, realm=opts.realm, domain=opts.domain, hostname=opts.host_name,
- adminpass=opts.ldap_manager_pass,
+ adminpass=opts.ldap_admin_pass,
 root=opts.root, serverrole=server_role, ldap_backend_type=opts.ldap_backend_type, ldap_backend_port=opts.ldap_backend_port)
diff --git a/source4/setup/secrets_init.ldif b/source4/setup/secrets_init.ldif
index 9eda47e463..eb423a5122 100644
--- a/source4/setup/secrets_init.ldif
+++ b/source4/setup/secrets_init.ldif
@@ -11,5 +11,5 @@ sAMAccountName: CASE_INSENSITIVE
 #Add modules to the list to activate them by default
 #beware often order is important
 dn: @MODULES
-@LIST: update_keytab,operational,objectguid
+@LIST: update_keytab,operational,objectguid,rdn_name
diff --git a/source4/setup/secrets_sasl_ldap.ldif b/source4/setup/secrets_sasl_ldap.ldif
new file mode 100644
index 0000000000..81ccfee209
--- /dev/null
+++ b/source4/setup/secrets_sasl_ldap.ldif
@@ -0,0 +1,9 @@
+dn: CN=SAMDB Credentials
+objectClass: top
+objectClass: ldapSecret
+cn: SAMDB Credentials
+secret:: ${LDAPADMINPASS_B64}
+samAccountName: ${LDAPADMINUSER}
+realm: ${LDAPADMINREALM}
+
+
diff --git a/source4/setup/secrets_simple_ldap.ldif b/source4/setup/secrets_simple_ldap.ldif
new file mode 100644
index 0000000000..3f5ccd2df1
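Review bot: The new `CN=SAMDB Credentials` entry in secrets_sasl_ldap.ldif carries the same dn as the one in secrets_simple_ldap.ldif but a different attribute set (`samAccountName`/`realm` here, `ldapBindDn` there), and neither file says which backend mode it belongs to or that `secret::` is the cleartext admin password in base64, so a reader has only the file names to go on. Add a `#` comment line at the top of each file naming the mode that loads it and noting that the secret is unhashed. The two trailing empty lines at the end of this file serve no purpose in LDIF and can be dropped.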
--- /dev/null
+++ b/source4/setup/secrets_simple_ldap.ldif
@@ -0,0 +1,6 @@
+dn: CN=SAMDB Credentials
+objectClass: top
+objectClass: ldapSecret
+cn: SAMDB Credentials
+secret:: ${LDAPMANAGERPASS_B64}
+ldapBindDn: ${LDAPMANAGERDN}
diff --git a/source4/setup/slapd.conf b/source4/setup/slapd.conf
index 15b9d3104e..b1ce6f6492 100644
--- a/source4/setup/slapd.conf
+++ b/source4/setup/slapd.conf
@@ -5,17 +5,36 @@ include ${LDAPDIR}/backend-schema.schema
 pidfile ${LDAPDIR}/slapd.pid
 argsfile ${LDAPDIR}/slapd.args
 sasl-realm ${DNSDOMAIN}
-access to * by * write
-allow update_anon
+#authz-regexp
+# uid=([^,]*),cn=${DNSDOMAIN},cn=digest-md5,cn=auth
+# ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
-authz-regexp
- uid=([^,]*),cn=${DNSDOMAIN},cn=digest-md5,cn=auth
- ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
+#authz-regexp
+# uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
+# ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
 authz-regexp
 uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
- ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
+ ldap:///cn=samba??one?(cn=\$1)
+
+authz-regexp
+ uid=([^,]*),cn=([^,]*),cn=ntlm,cn=auth
+ ldap:///cn=samba??one?(cn=\$1)
+
+access to dn.base=""
+ by dn=cn=samba-admin,cn=samba manage
+ by anonymous read
+ by * read
+
+access to dn.subtree="cn=samba"
+ by anonymous auth
+
+access to dn.subtree="${DOMAINDN}"
+ by dn=cn=samba-admin,cn=samba manage
+ by * read
+
+password-hash {CLEARTEXT}
 include ${LDAPDIR}/modules.conf
@@ -23,6 +42,11 @@ defaultsearchbase ${DOMAINDN}
 ${MEMBEROF_CONFIG}
+database ldif
+suffix cn=Samba
+directory ${LDAPDIR}/db/samba
+
+
 database hdb
 suffix ${SCHEMADN}
 directory ${LDAPDIR}/db/schema
@@ -78,9 +102,6 @@ index dnsRoot eq
 index nETBIOSName eq
 index cn eq
-rootdn ${LDAPMANAGERDN}
-rootpw ${LDAPMANAGERPASS}
-
 #syncprov is stable in OpenLDAP 2.3, and available in 2.2.
 #We only need this for the contextCSN attribute anyway....
 overlay syncprov
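Review bot: secrets_simple_ldap.ldif still binds as `ldapBindDn: ${LDAPMANAGERDN}` with `secret:: ${LDAPMANAGERPASS_B64}`, while the same commit deletes `rootdn ${LDAPMANAGERDN}` / `rootpw ${LDAPMANAGERPASS}` from slapd.conf and grants `manage` on `${DOMAINDN}` only to `cn=samba-admin,cn=samba`. Unless the provisioning code substitutes that exact DN for `${LDAPMANAGERDN}` (not visible here), the simple-bind path is left with the `by * read` level of access and writes would fail. Either point this file at the samba-admin DN and `${LDAPADMINPASS_B64}` as secrets_sasl_ldap.ldif does, or add a `#` comment stating which DN `${LDAPMANAGERDN}` is expected to resolve to.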
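Review bot: In the first slapd.conf hunk, `access to dn.subtree="${DOMAINDN}"` ends with `by * read`, which lets unauthenticated binds read the whole domain subtree; since the only writer now binds as `cn=samba-admin,cn=samba`, consider `by * none` (or `by users read` if authenticated browsing is wanted) unless anonymous reads are relied on somewhere outside this diff — I cannot tell from the hunk. `password-hash {CLEARTEXT}` means every password set through a password-modify operation is stored unhashed; if the digest-md5/ntlm mappings above it are the reason, say so in a comment beside it, e.g. `# cleartext is required for the digest-md5/ntlm authz mappings above`. The two `#authz-regexp` blocks re-added as comments are dead configuration that git history already preserves, so delete them rather than keep them, and under `dn.base=""` the `by anonymous read` clause is subsumed by the `by * read` that follows it.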
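Review bot: The second slapd.conf hunk adds `database ldif` with `directory ${LDAPDIR}/db/samba`, and the ldif backend keeps its entries as plain-text LDIF files, so the unhashed `userPassword` of `cn=samba-admin` from cn=samba-admin.ldif will sit in that directory on disk; the provisioning step that creates `${LDAPDIR}/db/samba` should make it owner-only, and a comment here would record the requirement, e.g. `# holds cn=samba-admin's cleartext password: the directory must be mode 0700`. The two blank lines added after `directory` can be reduced to one to match the spacing between the other database sections.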